Hi Moemen,

On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI <mmhed...@haproxy.com> wrote:
>
> On 11/14/18 1:34 AM, Igor Cicimov wrote:
> > On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov <ig...@encompasscorporation.com> wrote:
> >>
> >> Hi,
> >>
> >> # haproxy -v
> >> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
> >> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
> >>
> >> I noticed that in case of multiple domains and OCSP setup:
> >>
> >> # ls -1 /etc/haproxy/ssl.d/*.ocsp
> >> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
> >> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
> >> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
> >> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
> >>
> >> I get OCSP response from haproxy only for one of the domains
> >> domain.com. Tested via:
> >>
> >> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
> >> -status -servername domain[234].com
> >>
> >> Is this expected?
> >
> > Any comments/ideas regarding this? Further noticed that OCSP code probably
> > does not check the certificates' SANs and matches only based on the CN in the
> > subject, since the calls to whatever.domain.tld get stapled but to domain.tld
> > do not.
>
> Hi Igor,
>
> Testing OCSP on multiple certificates with different domains (based on the
> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>
> Are you using multiple certs with same CN but different SANs ?
The certificates belong to completely separate domains, so not subdomains of
the same domain like in your case. They are also wildcard certs, so here is
the layout:

# ls -1 /etc/haproxy/ssl.d/
star_domain1_com.crt
star_domain1_com.crt.ocsp
star_domain2_com.crt
star_domain2_com.crt.ocsp
star_domain3_com.crt
star_domain3_com.crt.ocsp

# for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout -subject -in $i; done
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com

The SAN only contains the certificate's domain and nothing else, for example
for domain3.com:

X509v3 Subject Alternative Name:
    DNS:*.domain3.com, DNS:domain3.com

The haproxy bind line in the frontend looks like:

bind *:443 ssl crt /etc/haproxy/ssl.d/ ...

And here is the output of the daily cronjob that updates the OCSP for haproxy:

Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)

/etc/haproxy/ssl.d/star_domain1_com.crt: good
This Update: Nov 25 17:39:11 2018 GMT
Next Update: Dec 2 16:54:11 2018 GMT
OCSP Response updated!

/etc/haproxy/ssl.d/star_domain2_com.crt: good
This Update: Nov 24 20:49:57 2018 GMT
Next Update: Dec 1 20:04:57 2018 GMT
OCSP Response updated!

/etc/haproxy/ssl.d/star_domain3_com.crt: good
This Update: Nov 25 14:09:00 2018 GMT
Next Update: Dec 2 13:24:00 2018 GMT
OCSP Response updated!

I can confirm this is working as intended on other servers I have with 1.7.11
and 1.8.14, so it must be something specific to this one that I struggle to
understand (to be even more confusing, it is all being set up by Ansible in
the same way as everywhere else). Under what circumstances would a setup like
this not work in terms of OCSP?
Example:

$ echo | openssl s_client -connect server:443 -tlsextdebug -status -servername domain1.com | grep -E 'OCSP|domain1'
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
verify return:1
DONE
OCSP response: no response sent
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com

Thanks for your input by the way, very much appreciated.
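The check Igor is doing by hand above (one `openssl s_client -status` run per SNI name, plus reading the cron refresh log) can be scripted so that every certificate in the directory is covered and an expired staple is caught as well as a missing one. The following is an added example, not code from the thread or from the haproxy project. It only parses: the `SAMPLE_*` inputs are constructed (the "no response sent" case and the refresh log reuse the lines quoted in the thread; the stapled case is modelled on openssl's text dump of a basic OCSP response), and the `s_client` runs themselves are assumed to be fed in by the caller.

```python
"""Classify `openssl s_client -status` output per SNI name and cross-check the
haproxy .ocsp refresh log for responses that are missing, not 'good' or expired.
Sample inputs below are constructed for the example."""
import re
from datetime import datetime, timezone

# openssl prints OCSP times as e.g. "Dec  2 16:54:11 2018 GMT" (day padded with a space)
OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed: the symptom from the thread (server sent no staple for domain1.com).
SAMPLE_NO_STAPLE = """\
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
verify return:1
OCSP response: no response sent
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
"""

# Constructed: the shape openssl prints when a usable staple is present.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 25 17:39:11 2018 GMT
    Next Update: Dec  2 16:54:11 2018 GMT
======================================
"""

# Constructed from the cron output quoted in the thread.
SAMPLE_REFRESH_LOG = """\
/etc/haproxy/ssl.d/star_domain1_com.crt: good
This Update: Nov 25 17:39:11 2018 GMT
Next Update: Dec 2 16:54:11 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain2_com.crt: good
This Update: Nov 24 20:49:57 2018 GMT
Next Update: Dec 1 20:04:57 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain3_com.crt: good
This Update: Nov 25 14:09:00 2018 GMT
Next Update: Dec 2 13:24:00 2018 GMT
OCSP Response updated!
"""

# Reference times for the example: the cron run in the thread, and a day after all staples lapse.
EXAMPLE_NOW = datetime(2018, 11, 26, 5, 0, tzinfo=timezone.utc)
EXAMPLE_LATER = datetime(2018, 12, 3, tzinfo=timezone.utc)


def parse_ocsp_time(text):
    """Parse an openssl-style GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(" ".join(text.split()), OCSP_TIME_FMT).replace(tzinfo=timezone.utc)


def classify_staple(s_client_output, now):
    """Summarise one `openssl s_client -status` run for a single -servername.

    Returns stapled (a successful response was sent), cert_status, next_update and
    fresh (stapled and not yet past Next Update). A missing or malformed staple and
    an expired one are both reported as not fresh, since clients treat them alike.
    """
    result = {"stapled": False, "cert_status": None, "next_update": None, "fresh": False}
    if "OCSP response: no response sent" in s_client_output:
        return result
    status = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    if not status or status.group(1) != "successful":
        return result
    result["stapled"] = True
    cert = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    result["cert_status"] = cert.group(1) if cert else None
    nxt = re.search(r"Next Update:\s*(.+)", s_client_output)
    if nxt:
        result["next_update"] = parse_ocsp_time(nxt.group(1))
        result["fresh"] = result["next_update"] > now
    return result


def parse_refresh_log(log_text):
    """Parse the per-certificate blocks of the refresh log into {cert_path: fields}."""
    entries, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(\S+\.crt):\s*(\w+)$", line)
        if m:
            current = m.group(1)
            entries[current] = {"status": m.group(2), "this_update": None, "next_update": None}
            continue
        for key, label in (("this_update", "This Update:"), ("next_update", "Next Update:")):
            if current and line.startswith(label):
                entries[current][key] = parse_ocsp_time(line[len(label):])
    return entries


def stale_certs(entries, now):
    """Cert paths whose logged response is missing, not 'good', or already expired."""
    return sorted(p for p, e in entries.items()
                  if e["status"] != "good" or e["next_update"] is None or e["next_update"] <= now)


if __name__ == "__main__":
    print("domain1.com:", classify_staple(SAMPLE_NO_STAPLE, EXAMPLE_NOW))
    print("stapled sample:", classify_staple(SAMPLE_STAPLED, EXAMPLE_NOW))
    print("stale at cron time:", stale_certs(parse_refresh_log(SAMPLE_REFRESH_LOG), EXAMPLE_NOW))
    print("stale a week later:", stale_certs(parse_refresh_log(SAMPLE_REFRESH_LOG), EXAMPLE_LATER))
```

In use you would loop over the `.crt` files as the cron job does, run `openssl s_client -connect server:443 -status -servername <name>` for both the wildcard's base domain and a subdomain, and pass each output to `classify_staple`; a certificate whose `.ocsp` file the refresh log reports as `good` but for which the server still answers `no response sent` is exactly the mismatch the thread describes, and is worth separating from the simpler case of a staple that has merely expired.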